OpenSSH 3.5 has been released

Wednesday, 16 October 2002, 11:10 AM EST

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.

Changes since OpenSSH 3.4:

* Improved support for Privilege Separation (Portability, Kerberos, PermitRootLogin handling).

* ssh(1) prints out all known host keys for a host if it receives an unknown host key of a different type.

* Fixed AES/Rijndael EVP integration for OpenSSL < 0.9.7 (caused problems with bounds checking patches for gcc).

* ssh-keysign(8) is disabled by default and only enabled if the
HostbasedAuthentication option is enabled in the global ssh_config(5) file.

* ssh-keysign(8) uses RSA blinding in order to avoid timing attacks against the RSA host key.

* A use-after-free bug was fixed in ssh-keysign(8). This bug broke hostbased authentication on several platforms.

* ssh-agent(1) is now installed setgid in order to avoid ptrace(2) attacks.

* ssh-agent(1) now restricts the access with getpeereid(2) (or equivalent, where available).

* sshd(8) no longer uses the ASN.1 parsing code from libcrypto when verifying RSA signatures.

* sshd(8) now sets the SSH_CONNECTION environment variable.

* Enhanced "ls" support for the sftp(1) client, including globbing and detailed listings.

* ssh(1) now always falls back to uncompressed sessions, if the server does not support compression.

* The default behavior of sshd(8) with regard to user settable environ variables has changed: the new option PermitUserEnvironment is disabled by default, see sshd_config(5).

* The default value for LoginGraceTime has been changed from 600 to 120 seconds, see sshd_config(5).

* Removed erroneous SO_LINGER handling.

[ Read more ]


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th